Apple have the right idea... I'd say all the vendors need to take a carefully balanced approach to security in the default configurations of their software. Leave services exposed to the network disabled by default, where possible. By all means, configure firewalls by default to block all non-established incoming connections to low port numbers, but for heaven's sake don't also block access to those ports from the local subnet as well.

How would your users cope if all their shared printers and file servers suddenly became inaccessible because NetBIOS was universally blocked by new operating system "security features"? I'd hazard a guess that after they've called their ISP support team a couple of hundred times, they'll just switch the firewall off...

Your firewall rules should automatically open ports when services are explicitly enabled, and should be able to cope with laptops roaming between home and office where the local subnet addresses may change. If the firewall doesn't detect this, then you're going to cause a whole new world of support problems.

- Matt
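The default policy described in the comment above can be modelled in a few lines. This is an added example, not part of the original comment or any vendor's firewall code; the `HostFirewall` class, its method names and the sample addresses are hypothetical, and "low port numbers" is assumed to mean ports below 1024.

```python
import ipaddress

LOW_PORT_MAX = 1023  # assumption: "low port numbers" means ports below 1024


class HostFirewall:
    """Toy model of the inbound default policy described in the comment."""

    def __init__(self, interface_cidr):
        self.enabled_service_ports = set()
        self.on_network_change(interface_cidr)

    def on_network_change(self, interface_cidr):
        # Re-derive the local subnet from the interface's current address,
        # so the exception follows a laptop from home to office.
        self.local_subnet = ipaddress.ip_interface(interface_cidr).network

    def enable_service(self, port):
        # Explicitly enabling a service opens its port automatically.
        self.enabled_service_ports.add(port)

    def disable_service(self, port):
        self.enabled_service_ports.discard(port)

    def allows(self, src_ip, dst_port, established=False):
        """Return True if an inbound packet is accepted."""
        if established:
            return True  # reply traffic for a connection the host opened
        if dst_port > LOW_PORT_MAX:
            return True  # this model only covers the low-port rule
        if dst_port in self.enabled_service_ports:
            return True  # opened when the service was explicitly enabled
        # Low port, service not explicitly enabled: local subnet only.
        return ipaddress.ip_address(src_ip) in self.local_subnet


if __name__ == "__main__":
    # Constructed sample: home network, then roaming to an office network.
    fw = HostFirewall("192.168.1.23/24")
    print(fw.allows("192.168.1.50", 139))  # NetBIOS from a LAN peer
    print(fw.allows("203.0.113.7", 139))   # NetBIOS from outside
    fw.on_network_change("10.20.0.8/16")
    print(fw.allows("10.20.5.5", 139))     # LAN peer on the new network
    print(fw.allows("192.168.1.50", 139))  # old home subnet is now remote
```
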